"Silent Runners.vbs", revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Ad Muncher" = ""C:\Program Files\Ad Muncher\AdMunch.exe" /bt" [null data] "Mmm" = ""C:\Program Files\Context\Mmm.exe"" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "iKeyWorks" = "C:\PROGRA~1\Keyboard\Ikeymain.exe" [null data] "kav" = ""C:\Program Files\Kaspersky\avp.exe"" ["Kaspersky Lab"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete" -> {HKLM...CLSID} = "IE Microsoft AutoComplete" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] "{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Ochrona WWW" -> {HKLM...CLSID} = "Ochrona WWW" \InProcServer32\(Default) = "C:\Program Files\Kaspersky\scieplugin.dll" ["Kaspersky Lab"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky\shellex.dll" ["Kaspersky Lab"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Kaspersky\shellex.dll" ["Kaspersky Lab"] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoSMHelp" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Help menu from Start Menu} "NoSharedDocuments" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Remove Shared Documents from My Computer} "ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "NoWindowsUpdate" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove links and access to Windows Update} "NoResolveTrack" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "LinkResolveIgnoreLinkInfo " = (REG_DWORD) hex:0x00000001 {unrecognized setting} "NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "NoInstrumentation" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "NoSMMyDocs" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Documents menu from Start Menu} "NoSMConfigurePrograms" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "ClassicShell" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Enable Classic Shell / Turn on Classic Shell} "NoFavoritesMenu" = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Favorites menu from Start Menu} "NoHelp" = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} "NoNetHood" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "HideClock" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoManageMyComputerVerb" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoCDBurning" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoStartMenuPinnedList" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoStartMenuMFUprogramsList" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoUserNameInStartMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "StartmenuLogoff" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoStartMenuSubFolders" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoCommonGroups" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoPrinterTabs" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoDeletePrinter" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoAddPrinter" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoPrinters" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoNetworkConnections" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Network Connections from Start Menu} "NoClose" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoSetFolders" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoChangeStartMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoViewContextMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoFileMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoDrives" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoControlPanel" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoShellSearchButton" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoToolbarCustomize" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars| Disable customizing browser toolbar buttons} "NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoChangeAnimation" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoChangeKeyboardNavigationIndicators" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoThemesTab" = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001 {unrecognized setting} "ClassicShell" = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "NoSecCpl" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "DisableChangePassword" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "DisableLockWorkstation" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoDispCpl" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Remove Display in Control Panel} "NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Hide Desktop tab} "NoDispScrSavPage" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoDispAppearancePage" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoDispSettingsPage" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "DisableStatusMessages" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "VerboseStatus" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000 {unrecognized setting} "SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Ochrona WWW" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\Kaspersky\scieplugin.dll" ["Kaspersky Lab"] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ "ButtonText" = "Ochrona WWW" Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Kaspersky Anti-Virus Home Edition 6.0, AVP, ""C:\Program Files\Kaspersky\avp.exe" -r" ["Kaspersky Lab"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ BJ Language Monitor\Driver = "cnbjmon.dll" [file not found] PJL Language Monitor\Driver = "pjlmon.dll" [file not found] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 12 seconds. ---------- (total run time: 103 seconds)